
Summary
This detection rule identifies emails sent from potentially compromised GovDelivery accounts that contain links to suspicious domains. GovDelivery is used by various government agencies to communicate with citizens; however, compromised accounts have been observed sending phishing messages. The rule focuses on emails sent from the domain public.govdelivery.com that have passed SPF and DMARC checks, meaning they are authentic at the email-authentication layer even though the sending account itself may be compromised. It extracts the links in the email body and filters for those that may lead to non-governmental domains, URL shorteners, newly registered domains, or domains associated with redirection techniques often used in phishing schemes. Additional checks on domain age and redirect behavior further assess risk. The determination combines natural language understanding, URL analysis, and WHOIS data to improve accuracy and minimize false positives.
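The following is an added illustration of the link-triage logic the summary describes; it is not the rule's own code. It assumes a message is available as a sender address, an Authentication-Results header value and a body, and it replaces live WHOIS queries and redirect following with constructed lookup tables (DOMAIN_CREATED, REDIRECT_TARGETS). The shortener list, the 30-day "newly registered" threshold and the trusted-suffix allowlist are assumptions chosen for the example, and the sample message is constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlparse

# --- Constructed reference data. A real rule queries WHOIS and follows
# redirects live; these tables stand in for those lookups. ---
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
DOMAIN_CREATED: Dict[str, date] = {          # constructed WHOIS creation dates
    "gov-benefits-update.com": date(2025, 4, 28),
    "example.com": date(1995, 8, 14),
}
REDIRECT_TARGETS: Dict[str, str] = {         # constructed final landing hosts
    "links.example.com": "gov-benefits-update.com",
}
NEW_DOMAIN_DAYS = 30                         # assumed "newly registered" threshold
# Assumed allowlist: government TLDs plus GovDelivery's own link/unsubscribe hosts.
TRUSTED_SUFFIXES = (".gov", ".mil", ".govdelivery.com")
TRUSTED_EXACT = {"govdelivery.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


@dataclass
class Message:
    from_addr: str
    auth_results: str   # value of the Authentication-Results header
    body: str


@dataclass
class Finding:
    url: str
    reasons: List[str]


def sender_domain(from_addr: str) -> str:
    m = re.search(r"@([\w.-]+)", from_addr)
    return m.group(1).lower() if m else ""


def auth_passed(auth_results: str) -> bool:
    """True when both SPF and DMARC report 'pass' (common Authentication-Results tokens)."""
    r = auth_results.lower()
    return "spf=pass" in r and "dmarc=pass" in r


def host_of(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_trusted(host: str) -> bool:
    return host in TRUSTED_EXACT or host.endswith(TRUSTED_SUFFIXES)


def is_new(host: str, today: date) -> bool:
    created = DOMAIN_CREATED.get(host)
    return created is not None and (today - created).days <= NEW_DOMAIN_DAYS


def assess_link(url: str, today: date) -> Optional[Finding]:
    """Return a Finding for a non-government link, listing every risk signal it trips."""
    host = host_of(url)
    if not host or is_trusted(host):
        return None
    reasons = ["non-government domain"]
    if host in URL_SHORTENERS:
        reasons.append("URL shortener")
    if is_new(host, today):
        reasons.append("domain registered within %d days" % NEW_DOMAIN_DAYS)
    target = REDIRECT_TARGETS.get(host)
    if target and target != host:
        reasons.append("redirects to " + target)
        if is_new(target, today):
            reasons.append("redirect target registered within %d days" % NEW_DOMAIN_DAYS)
    return Finding(url, reasons)


def evaluate(msg: Message, today: date) -> List[Finding]:
    """Apply the rule's gating (sender domain, SPF+DMARC pass) and then triage body links."""
    if sender_domain(msg.from_addr) != "public.govdelivery.com":
        return []
    if not auth_passed(msg.auth_results):
        return []
    seen, findings = set(), []
    for url in URL_RE.findall(msg.body):
        if url in seen:
            continue
        seen.add(url)
        finding = assess_link(url, today)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample message for the walkthrough.
SAMPLE = Message(
    from_addr="Example Agency <agency@public.govdelivery.com>",
    auth_results="mx.example.net; spf=pass smtp.mailfrom=public.govdelivery.com; "
                 "dmarc=pass header.from=public.govdelivery.com",
    body=(
        "Your benefits statement is ready.\n"
        "View it here: https://www.example.gov/benefits\n"
        "Confirm your account: https://bit.ly/3xyzAbc\n"
        "Update your details: https://links.example.com/click?id=42\n"
        "Manage subscriptions: https://public.govdelivery.com/accounts/EXAMPLE/subscriber/new\n"
    ),
)

if __name__ == "__main__":
    for f in evaluate(SAMPLE, date(2025, 5, 6)):
        print(f.url, "->", "; ".join(f.reasons))
```

Running it on the sample flags only the shortener link and the redirecting link; the .gov and govdelivery.com links are left alone, and swapping in a failed SPF result or a different sender domain yields no findings at all, mirroring the rule's gating. A production version would replace the lookup tables with real WHOIS and redirect-resolution calls and add the NLU scoring the summary mentions.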
Categories
- Web
- Endpoint
Data Sources
- Web Credential
- Network Traffic
- Application Log
Created: 2025-05-06